The Five Greatest Myths About ISO 27001

Monday, January 31, 2011

Dejan Kosutic


Very often I hear things about ISO 27001 and I don't know whether to laugh or cry over them.

Actually it is funny how people tend to make decisions about something they know very little about - here are the most common misconceptions:

"The standard requires..."

"The standard requires passwords to be changed every 3 months." "The standard requires that multiple suppliers must exist." "The standard requires the disaster recovery site to be at least 50 km distant from the main site."

Really? The standard doesn't say anything like that. Unfortunately, this kind of false information I hear rather often - people usually mistake best practice for requirements of the standard, but the problem is that not all security rules are applicable to all types of organizations.

And the people who claim this is prescribed by the standard have probably never read the standard.

"We'll let the IT department handle it"

This is the management's favorite - "Information security is all about IT, isn't it?" Well, not really - the most important aspects of information security include not only IT measures, but also organizational issues and human resource management, which are usually out of reach of IT department. See also Information Security or IT Security.

"We'll implement it in a few months"

You could implement your ISO 27001 in 2 or 3 months, but it won't work - you would only get a bunch of policies and procedures no one cares about. Implementation of information security means you have to implement changes, and it takes time for changes to take place.

Not to mention that you must implement only those security controls that are really needed, and the analysis of what is really needed takes time - it is called risk assessment and risk treatment.

"This standard is all about documentation"

Documentation is an important part of ISO 27001 implementation, but the documentation is not an end in itself. The main point is that you perform your activities in a secure way, and the documentation is here to help you do it.

Also, the records you produce will help you measure whether you achieve your information security goals and enable you to correct those activities that underperform.

"The only benefit of the standard is for marketing purposes"

"We are doing this only to get the certificate, aren't we?" Well, this is (unfortunately) the way 80 percent of the companies think.

I'm not trying to argue here that ISO 27001 shouldn't be used in promotional and sales purposes, but you can also achieve other very important benefits - like preventing the case of WikiLeaks happening to you.

See also Four Key Benefits of ISO 27001 Implementation and Lessons Learned from WikiLeaks: What is Exactly Information Security?

The point here is - read ISO 27001 first before you form your opinion about it; or, if it's too boring for you to read it (which I admit it is), consult with someone who has some real knowledge about it. And try to get some other benefits, other than marketing.

In other words, increase your chances to make a profitable investment in information security.

Cross posted from ISO 27001 & BS 25999 blog 

Complete ISO 27001/ BS-25999-2 Webinar Schedule:

February 2, February 14 - ISO 27001 Foundations Part 1: ISMS Planning Phase, Documentation and Records Control

February 15, February 21 - ISO 27001 Foundations Part 2: Implementation, Monitoring and Reviewing, Maintaining and Improving the ISMS

FREE WEBINAR - February 16 - ISO 27001 & BS 25999-2: Why is It Better to Implement Them Together?

February 16, February 22 - Internal Audit: How to Conduct it According to ISO 27001 and BS 25999-2

February 16, February 23 - ISO 27001 Lead Auditor Course Preparation Training

February 17, February 23 - BS 25999-2 Foundations Part 1: Business Impact Analysis

February 22, March 7 - ISO 27001 Foundations Part 3: Annex A Overview

FREE WEBINAR - February 23 - ISO 27001: An Overview of ISMS Implementation Process

February 24, March 9 - BS 25999-2 Foundations Part 2: Business Continuity Strategy

March 8, March 21 - Risk Management Part 1: Risk Assessment Methodology and Risk Assessment Process

FREE WEBINAR - March 9 - BS 25999-2: An Overview of BCM Implementation Process

March 9, March 22 - How to Become ISO 27001 / BS 25999-2 Consultant

March 10, March 23 - BS 25999-2 Foundations Part 3: Business Continuity Planning

March 22, April 4 - Risk Management Part 2: Risk Treatment Process, Statement of Applicability and Risk Treatment Plan

FREE WEBINAR - March 23 - ISO 27001 Implementation: How to Make It Easier Using ISO 9001

March 23, April 6 - ISO 27001 / BS 25999-2 Management Responsibilities: What Does Management Need to Know?

March 24, April 18 - How to Write Four Mandatory Procedures for ISO 27001 and BS 25999-2

April 5, April 19 - ISO 27001 A.6 & A.8: Organization of Information Security; External Parties; Raising Awareness, Training and HR Management

April 5, April 20 - ISO 27001 and ISO 27004: How to Measure the Effectiveness of Information Security?

FREE WEBINAR - April 6 - ISO 27001/BS 25999-2: The Certification Process

April 6, April 19 - ISO 27001 A.7: Asset Management and Classification

Possibly Related Articles:
Certification Compliance Security Audits ISO 27001 Network Security
Post Rating I Like this!
Franc Schiphorst You can't implement it in a few months as checking that it has been implemented and audited by yourself is part of the certification. i would not cal it implemented if it has not been externaly certified.
You would have to write it up in a month, implement it and then audit it.
And of course there are the extrenal audits that take a couple of months to plan and execute.

Regarding it's an IT thing. Don't know about your IT department but our's not into paper shredding, gates, fences and hiring to name but a few non it aspects ;)

And it's very hard just to set it up for marketing (and have it certified) and it would be a waste of money to just use it for marketing. Just like the other ISO systems you can get a better organisation. If only because you usually dig up some skeletons :)

Not sure about the wikileaks protection as this may be a risk you have not identified and thus not have mitigationg controls in place.
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.